Description
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections.

The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet.

Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metrics::Any::Adapter::DogStatsd versions prior to 0.04 for Perl fail to protect against metric injections, allowing an attacker to embed newline and control characters into metric streams or tags. This flaw enables the injection of arbitrary metrics or tag manipulation that can corrupt metric collection, lead to inaccurate monitoring data, or overload the monitoring system, effectively causing a denial of service on the metrics backend. The vulnerability is categorized as CWE-93, which involves improper neutralization of special elements used in a command or data input.

Affected Systems

The affected products are PEVANS::Metrics::Any::Adapter::DogStatsd 0.01 through 0.03 and any code that uses the underlying Metrics::Any::Adapter::Statsd component with the same vulnerability. Systems that incorporate these Perl modules for sending events to DogStatsd or similar statsd extensions are at risk if they have not upgraded to version 0.04 or later.

Risk and Exploitability

Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the exact exploitation probability remains unknown. However, the attack vector is likely internal or application‑level; an attacker or malicious user who can send metrics to the vulnerable library can craft payloads containing newline and other control characters to trigger injection. The impact hinges on the availability of the metrics service and the ability to inject data, making the risk moderate to high for environments that rely on accurate monitoring for operational decisions.

Generated by OpenCVE AI on June 10, 2026 at 20:35 UTC.

Remediation

Vendor Solution

Upgrade to v0.04 or later.


OpenCVE Recommended Actions

  • Upgrade Metrics::Any::Adapter::DogStatsd to version 0.04 or later as the official fix
  • Ensure no legacy code paths still reference the pre‑0.04 library and test that the upgrade removes the vulnerability
  • Sanitize or restrict tag input before it reaches the metrics client to eliminate newlines and control characters if an immediate upgrade is not possible

Generated by OpenCVE AI on June 10, 2026 at 20:35 UTC.
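
One way to apply the tag-sanitizing recommendation above when an upgrade has to wait, as an added example (not code from the module or from OpenCVE). The helper names `safe_tags`, `format_metric` and `line_count`, the sample tag, and the set of characters neutralized are assumptions; the page does not show what the 0.04 fix checks.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Bytes that carry meaning in a dogstatsd datagram:
#   name:value|type|@rate|#key:value,key:value   (one metric per line)
# Newlines split metrics, '|' splits fields, ',' splits tags; other
# control characters have no place in a tag either.
my $UNSAFE_VALUE = qr/[\x00-\x1f\x7f|,]/;
my $UNSAFE_KEY   = qr/[\x00-\x1f\x7f|,:#@]/;    # ':' also ends the key

# Hypothetical helper: return a cleaned copy of a tag hash, replacing each
# unsafe character with '_'. Pass strict => 1 to die instead of rewriting.
sub safe_tags {
    my ( $tags, %opt ) = @_;
    my %clean;
    for my $key ( sort keys %$tags ) {
        my $value = $tags->{$key} // '';
        if ( $opt{strict} && ( $key =~ $UNSAFE_KEY || $value =~ $UNSAFE_VALUE ) ) {
            die "unsafe character in metric tag\n";
        }
        ( my $k = $key )   =~ s/$UNSAFE_KEY/_/g;
        ( my $v = $value ) =~ s/$UNSAFE_VALUE/_/g;
        $clean{$k} = $v;
    }
    return \%clean;
}

# Illustrative formatter only (not the module's code): joins tags in the
# dogstatsd wire layout so the effect on the receiver is visible.
sub format_metric {
    my ( $name, $value, $type, $tags ) = @_;
    my $tagstr = join ',', map { "$_:$tags->{$_}" } sort keys %$tags;
    return "$name:$value|$type|#$tagstr";
}

# Number of newline-separated metrics a receiver would parse from a payload.
sub line_count { my @lines = split /\n/, shift; return scalar @lines }

# Constructed sample: a tag value that came from untrusted input.
my %tags = ( route => "/home\nforged.metric:1|c", env => 'prod' );

my $raw   = format_metric( 'http.requests', 1, 'c', \%tags );
my $fixed = format_metric( 'http.requests', 1, 'c', safe_tags( \%tags ) );

printf "unsanitized: %d metric line(s)\n", line_count($raw);
printf "sanitized:   %d metric line(s)\n", line_count($fixed);
print "$fixed\n";
```

Call `safe_tags` on any tag hash built from request data before it is handed to the metrics client; the strict mode is useful in tests to find call sites that pass unvalidated input.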

History

Wed, 10 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Title Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections
Weaknesses CWE-93
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-10T18:32:21.666Z

Reserved: 2026-06-05T12:07:20.886Z

Link: CVE-2026-50638

NVD

Status: Awaiting Analysis

Published: 2026-06-10T19:16:37.380

Modified: 2026-06-10T20:19:35.917

Link: CVE-2026-50638

OpenCVE Enrichment

Updated: 2026-06-10T20:45:40Z
